00Days
00Hours
00Mins
00Secs
Upto 50% off on URL Shortify, Update URLS, Magic Link & Logify Check out the deals on our products and save big!
WordPress SMS and OTP Login: What Works Today (and What's Coming)

WordPress SMS and OTP Login: What Works Today (and What's Coming)

By KaizenCoders

If you searched for "WordPress SMS login" or "OTP login," you're after the same thing most site owners want: let people sign in without a password, using something faster than digging through an inbox. It's worth being upfront right away — Magic Link is email-only today. SMS login and OTP (one-time-code) login are on the roadmap, not yet available.

That doesn't mean this page is a dead end. The problem SMS/OTP solves — killing the password so users log in with a single-use, time-limited credential — is already solved today with passwordless email magic-link login. This guide covers what works now, why it's a strong option even for mobile-first audiences, and what to expect when SMS/OTP code login ships.

Right now, Magic Link replaces the password prompt with a one-time email link:

  1. The user enters their email address into the login form.
  2. Magic Link generates a single-use, time-limited token and emails them a link.
  3. The user taps the link in their inbox and is signed straight in.
  4. The token is burned on use and expires after a short window, so a glimpsed or forwarded link is worthless soon after.

No password is stored, typed, or remembered. Conceptually it's the exact model an SMS OTP would use — a short-lived, single-use credential — only the delivery channel is email. For the bigger picture, see the passwordless login guide.

Why email login still works well for mobile users

A common worry is that email is too slow for phone-first audiences. In practice, email magic-link login covers most of that ground already:

  • One tap, no typing. On a phone, tapping a link in a notification is nearly as fast as reading a code — and there's no password to fumble on a small keyboard.
  • Reliable when your email is set up right. The number-one reason links feel "slow" is deliverability, not the channel. Sending through an authenticated SMTP provider makes links arrive in seconds. (More on this in the FAQs.)
  • No per-message cost. Email is effectively free to send, so you can offer passwordless login to your whole audience without a gateway bill.

For most sites, well-delivered email magic links are the fast, password-free path today — and they're the foundation SMS/OTP will build on later.

Set up passwordless email login

Install and activate Magic Link from your WordPress dashboard the way you would any plugin (Plugins → Add New, search, install, activate). The Getting Started doc walks through first-run configuration.

Step 2: Confirm email login and the "From" address

Email magic-link login is on by default in most setups. Confirm the "From" address and that your email template looks right. See Getting Started and the free vs Pro features page for what's included on your plan.

Step 3: Set token expiry

Decide how long a link stays valid. Shorter is safer; too short frustrates users who don't check email immediately. A 15-to-30-minute window is a sensible default — tighten it for admin-only access. Manage issued links from Manage Magic Links.

Step 4: Place the login form

Add the login form to a page so users can reach it. Drop the [magic_link_form] shortcode into any page, post, or widget. The shortcode login form doc covers the shortcode and its options.

Step 5: Test the full flow

Open the page in an incognito window, enter an address you control, and confirm the link arrives, logs you in, and that an expired or reused link is rejected. If a link never arrives, that's almost always email deliverability — the troubleshooting guide is the place to start.

On the roadmap: SMS and OTP login (coming soon)

SMS and OTP code login are planned features, not yet available in Magic Link. There are no SMS or OTP settings to enable today, so if you find a guide walking you through "connect your SMS gateway" for this plugin, it's describing something that hasn't shipped.

Here's what the SMS/OTP direction is meant to add once it lands:

  • A one-time code (OTP) or link sent by text instead of email, for audiences that barely open an inbox or live in regions where SMS is more reliable than email.
  • A second channel so a single failed email doesn't lock anyone out.
  • Higher-trust flows where a phone number tied to a real SIM is a stronger signal than a throwaway email.

SMS also brings a real trade-off email doesn't: every text routes through an SMS gateway that charges per message, with rates that vary by country. That's part of why it's being built carefully rather than rushed. When it ships, this guide will cover the actual setup — until then, treat SMS/OTP as "coming soon," not "available now."

What you can pair with email login today

While SMS/OTP is on the roadmap, the passwordless email login that ships now already works alongside the rest of the toolkit: login without a password for any site, WooCommerce passwordless login for stores, and role-based redirects so customers, members, and admins each land where they should. You can manage and audit every issued link from one place — see Manage Magic Links.

Go passwordless today with email magic links

Magic Link removes the password prompt right now with single-use, time-limited email links — with token expiry, the [magic_link_form] shortcode, WooCommerce support, and an audit log. SMS/OTP login is on the roadmap. Get Magic Link

Conclusion

SMS and OTP login are a great fit for some audiences — and they're on the Magic Link roadmap, not yet shipping. What you can do today is remove the password entirely with passwordless email magic-link login: install the plugin, confirm email login and your "From" address, set a sensible expiry, drop in the [magic_link_form] login form, and test. Get your email deliverability right and even mobile-first users get a fast, password-free sign-in — and you'll be ready to add SMS/OTP the moment it lands.

FAQs

Not yet. Magic Link is email-only today; SMS and OTP code login are on the roadmap ("coming soon"), so there are no SMS/OTP settings to enable right now. What works today is passwordless email magic-link login.

Is passwordless email login secure?

Yes. Each link is a single-use, time-limited token, so there's no static password to leak, reuse, or brute-force. Pair a short expiry with Magic Link's throttling and (on Pro) IP/domain restriction for stronger protection.

Will SMS/OTP login cost extra to run?

When it ships, yes — sending a text requires an SMS gateway, and gateways charge per message, with rates that vary by country. Email login has no such per-message cost, which is part of why it's the recommended default.

Is email login fast enough for mobile users?

For most sites, yes — tapping a link beats typing a password, and links arrive in seconds when you send through an authenticated SMTP provider rather than the default PHP mail(). Poor deliverability, not the channel, is the usual cause of slow links.

You set the expiry. A 15-to-30-minute window is the usual balance — long enough to check email, short enough that an exposed link is useless soon after. Every link is also single-use, so it dies the moment it's clicked. See the passwordless login guide.